Twitter Set To Introduce Two-Factor Authentication

Following several high-impact password breaches, Twitter could introduce two-factor authentication (2FA) on its website.

The rumour was all but confirmed through a job listing, looking for a software engineer in product security, with experience in areas such as “multifactor authentication and fraudulent login detection”.

Just last week, 250,000 Twitter accounts had their passwords reset, after Twitter detected a breach of its servers, in which usernames, email addresses, session tokens and encrypted versions of passwords were compromised. According to Twitter, there’s no telling how many users actually had their details accessed, or who carried out the attack.

It has also emerged today that Twitter will pay around $70 million to acquire Bluefin Labs, a social TV analytics company. The new resources could be used to improve the relationship with TV content providers and further develop Twitter’s ‘second screen’ functionality.

Better living through security

Two-factor authentication is an authentication method which requires the presentation of at least two out of three factors: a knowledge factor (such as a password or PIN) and a possession factor (such as a keycard or a smartphone) or another inherent factor (like a fingerprint or eye iris pattern). Twitter hasn’t officially confirmed it will introduce 2FA, but in light of recent cyber attacks, several analysts agree it is the reasonable thing to do.

According to Ars Technica, Twitter currently employs OAuth as its authentication protocol, and Secure Socket Layer (SSL) encryption, which was added in August 2011, as a way to protect data being sent to and from its servers.

Two-factor authentication would have prevented any widespread account compromise on the micro-blogging platform last week. With 2FA, even if the password is stolen, no one besides the original owner will be able to access the account.

Google and Microsoft have already introduced a form of 2FA. For example, if a user attempts to log into Gmail from an unfamiliar device, Google could send a confirmation request to the phone linked to the account in question.

“It’s something that we’ve wanted for some time,” Graham Cluley, senior technology consultant at Sophos, told the Guardian. “We’ve often said we would be prepared to pay for it – Twitter could monetise it by offering it to corporations and branded accounts. It would be pretty attractive.”

Some analysts have pointed out that two-factor authentication is not without its drawbacks. For example, losing the physical token “will be a pain, just like losing a key for a physical lock would be,” writes Brian Proffitt from ReadWrite.

Max 'Beast from the East' Smolaks covers open source, public sector, startups and technology of the future at TechWeekEurope.
If you find him looking lost on the streets of London, feed him coffee and sugar.